Burp Extensions in Python & Pentesting Custom Web Services – labs.neohapsis.com
Burp is the de facto standard for professional web app assessments, and with the new extension API (released December 2012 in r1.5.01) much of the complexity of creating Burp extensions went away. The official API supports Java, Python, and Ruby equally well. Given the choice, Patrick Thomas takes Python any day, so his instructions will be most applicable to the parseltongues.
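To show what a Python extension against that API looks like, here is a small example added to this digest; it is not code from Patrick Thomas's post. It registers an IHttpListener and, for every response Burp sees, prints which common defensive headers are missing. The Burp calls used (registerExtenderCallbacks, setExtensionName, registerHttpListener, processHttpMessage, getHelpers, bytesToString, getResponse, getHttpService, printOutput) are part of the Burp Extender API; the list of expected headers, the SAMPLE_RESPONSE, and the ImportError fallback (which only exists so the pure-Python helpers can be exercised outside Burp) are assumptions of this example. Burp loads Python extensions through Jython, so the code stays Python 2 compatible.

```python
"""Minimal Burp extension in Python (Jython): added example, not the post's code.

Flags responses that lack common defensive headers. The header parsing is
kept free of Burp objects so it can be run and tested outside Burp.
"""
from __future__ import print_function

try:
    from burp import IBurpExtender, IHttpListener
except ImportError:
    # Plain CPython outside Burp (assumption for stand-alone use): stub the
    # interfaces so the module still imports and the helpers can be tested.
    class IBurpExtender(object):
        pass

    class IHttpListener(object):
        pass

# Headers whose absence is worth noting during an assessment (example choice).
EXPECTED_HEADERS = (
    "Strict-Transport-Security",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Content-Security-Policy",
)

# Constructed sample response used for the stand-alone demo below.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)


def parse_headers(raw_response):
    """Map lower-cased header name -> value for a raw HTTP response.

    Accepts bytes or str; stops at the blank line that ends the header block,
    so the body is never interpreted as headers.
    """
    if isinstance(raw_response, bytes):
        raw_response = raw_response.decode("iso-8859-1")
    headers = {}
    for line in raw_response.split("\r\n")[1:]:  # skip the status line
        if line == "":
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def missing_security_headers(raw_response):
    """Names from EXPECTED_HEADERS absent from the response, in fixed order."""
    present = parse_headers(raw_response)
    return [h for h in EXPECTED_HEADERS if h.lower() not in present]


class BurpExtender(IBurpExtender, IHttpListener):
    """Burp looks for a class named BurpExtender in the loaded module."""

    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("Missing security headers (example)")
        callbacks.registerHttpListener(self)

    def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):
        if messageIsRequest:
            return  # only responses carry the headers of interest
        response = messageInfo.getResponse()
        if response is None:
            return
        # bytesToString turns Burp's Java byte[] into a string for parsing.
        missing = missing_security_headers(self._helpers.bytesToString(response))
        if missing:
            host = messageInfo.getHttpService().getHost()
            self._callbacks.printOutput("%s missing: %s" % (host, ", ".join(missing)))


if __name__ == "__main__":
    # Stand-alone demo on the constructed sample (no Burp required).
    print(missing_security_headers(SAMPLE_RESPONSE))
```

Load the file through Extender > Extensions > Add with extension type Python (Jython configured under Options); the printOutput lines appear on the extension's Output tab.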

Web Services Penetration Testing Part 1 – resources.infosecinstitute.com
This article was written because the use of web services has grown substantially over the last couple of years, and the data flowing through them is often very sensitive. That makes web services an important attack vector once again. The article focuses on the details of web services, the approach to testing them, the tools used, and so on.

PowerSploit: The Easiest Shell You’ll Ever Get – www.pentestgeek.com
The easiest way to get a Meterpreter shell without worrying about AV is with PowerSploit. It is the easiest and most convenient AV bypass Chris Campbell has ever seen: just open PowerShell and type a command.

The Hackers Guide To Dismantling IPhone

The Hackers Guide To Dismantling IPhone (Part 2) – securityhorror.blogspot.com
This post, the second part of the series “The Hackers Guide To Dismantling IPhone”, describes how to perform all types of network attacks against any iPhone and also explains how to set up the testing environment for doing so.

The Hackers Guide To Dismantling IPhone (Part 3) – securityhorror.blogspot.com
On May 7, 2013, a German court ruled that the iPhone maker must alter its company policies for handling customer data, since these policies had been shown to violate Germany’s privacy laws. The court also prohibited Apple from supplying such data to companies that use the information for advertising. But why does this happen?

When Domain Admin Is Not Enough – blog.gdssecurity.com
When conducting a network pentest, at least on a Windows domain, the tester’s goal is often to get Domain Admin. That is well and good, but for impact nothing beats capturing the CIO’s desktop, documents or e-mail. So how do we get there?

JBOSS JMXInvokerServlet Exploit – breenmachine.blogspot.com
Stephen Breen recently ran into a JMXInvokerServlet that didn’t require authentication. While there is a Metasploit module for this, it wasn’t working for various reasons, so, inspired by Matasano, he wrote up some custom exploit code for it.

Vendor/Software Patches

It’s about time: Java update includes tool for blocking drive-by exploits – theregister.co.uk
Oracle’s latest update to the Java SE Development Kit (JDK) version 7 adds new security features designed to help businesses avoid being stung by critical vulnerabilities in out-of-date versions of Java. After a string of embarrassing Java security flaws was disclosed by independent researchers, Oracle has made addressing vulnerabilities its top priority for JDK 7.

Java SE Downloads – www.oracle.com
The update is available from the usual Java download website.

Vulnerabilities

Microsoft: IE Zero Day Flaw Affects All Versions – krebsonsecurity.com
Microsoft said that attackers are exploiting a previously unknown, unpatched vulnerability in all supported versions of its Internet Explorer Web browser. The company said it is working on an official patch to plug the security hole, but in the meantime it has released a stopgap fix to help protect affected customers.

iOS 7 Bug

iOS 7 Bug Lets Anyone Bypass iPhone’s Lockscreen To Hijack Photos, Email, Or Twitter – forbes.com
Jose Rodriguez, a 36-year-old soldier living in Spain’s Canary Islands, has found a security vulnerability in iOS 7 that allows anyone to bypass its lockscreen in seconds and access photos, email, Twitter, and more. An Apple spokesperson said the company takes security very seriously and is aware of the issue.
